In a recent development on the dark web, the Anonymous Collective hacker group has introduced a referral program for its Privacy Shield VPN and CloudStorm DDoS services. The group is offering a complimentary plan to individuals who successfully refer clients making purchases from its VPN and DDoS offerings. The announcement, emblazoned with the trademark CLOUDSTORM DDOS EST.2024, signifies a step forward in incentivizing the group’s clientele.

The referral program spans both the Privacy Shield VPN and CloudStorm DDoS services, aiming to reward those who bring new customers into the fold.

[Image: Anonymous Collective Privacy Shield VPN and DDoS services. Source: Daily Dark Web on X]

Under the program, if a referrer brings in a client who purchases any plan from the VPN service, they receive a free three-month plan. Similarly, for clients subscribing to any plan from the DDoS service, the referrer is granted three free hours to target and attack any specified destination. Notably, the value of the client’s purchase does not affect the reward – a unique and inclusive approach by Anonymous Collective.

This move comes on the heels of Anonymous Collective’s recent threat to release hacked data from a major Egyptian government website. The hacker group is demanding immediate action from the Egyptian government regarding its perceived lack of support for Palestinians and hindrance of humanitarian aid to Gaza.

[Image: Cyberattack on the Egyptian government. Source: X]

In a strongly worded message directed at President El-Sisi, the group accuses the Egyptian government of making misleading statements about its role in the Gaza humanitarian crisis. The group contends that Egypt, as the sole country bordering Gaza, has failed to offer substantial support or assistance to the Palestinians during the ongoing crisis.

[Image: Source: X]

Anonymous Collective insists on an immediate policy shift, demanding that the Egyptian government provide assistance to Palestinian refugees and facilitate the entry of humanitarian aid into Gaza. The threat of a substantial data leak looms large, with the group warning that if there is no response from the Egyptian government by the stipulated time, all exfiltrated data will be made public.

As the Anonymous Collective continues to make waves with its provocative actions, the introduction of the referral program adds a new dimension to its operations. It remains to be seen how this initiative will affect the group’s standing in the dark web world and whether it will attract a surge of new clients to its Privacy Shield VPN and CloudStorm DDoS services.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
An article in Science Magazine published mid-January describes a non-trivial method of snooping on smartphone users through an ambient light sensor. All smartphones and tablets have this component built-in — as do many laptops and TVs. Its primary task is to sense the amount of ambient light in the environment the device finds itself in, and to alter the brightness of the display accordingly.

But first we need to explain why a threat actor would use a tool ill-suited for capturing footage instead of the target device’s regular camera. The reason is that such ill-suited sensors are usually totally unprotected. Let’s imagine an attacker tricked a user into installing a malicious program on their smartphone. The malware will struggle to gain access to oft-targeted components, such as the microphone or camera. But to the light sensor? Easy as pie. So the researchers proved that this ambient light sensor can be used instead of a camera; for example, to get a snapshot of the user’s hand entering a PIN on a virtual keyboard. In theory, by analyzing such data, it’s possible to reconstruct the password itself. This post explains the ins and outs in plain language.

[Image: Taking shots with a light sensor.]

A light sensor is a rather primitive piece of technology. It’s a light-sensitive photocell that measures the brightness of ambient light several times per second. Digital cameras use very similar (albeit smaller) light sensors, but there are many millions of them. The lens projects an image onto this photocell matrix, the brightness of each element is measured, and the result is a digital photograph. Thus, you could describe a light sensor as the most primitive digital camera there is: its resolution is exactly one pixel.

How could such a thing ever capture what’s going on around the device? The researchers used the Helmholtz reciprocity principle, formulated back in the mid-19th century. This principle is widely used in computer graphics, for example, where it greatly simplifies calculations. In 2005, the principle formed the basis of the proposed dual photography method. Let’s take an illustration from this paper to help explain:

[Image: On the left is a real photograph of the object. On the right is an image calculated from the point of view of the light source.]
Imagine you’re photographing objects on a table. A lamp shines on the objects, the reflected light hits the camera lens, and the result is a photograph. Nothing out of the ordinary. In the illustration above, the image on the left is precisely that — a regular photo. Next, in greatly simplified terms, the researchers began to alter the brightness of the lamp and record the changes in illumination. As a result, they collected enough information to reconstruct the image on the right — taken as if from the point of view of the lamp. There’s no camera in this position and never was, but based on the measurements, the scene was successfully reconstructed.

Most interesting of all is that this trick doesn’t even require a camera. A simple photoresistor will do, just like the one in an ambient light sensor. A photoresistor (or single-pixel camera) measures changes in the light reflected from objects, and this data is used to construct a photograph of them. The quality of the image will be low, and many measurements must be taken — numbering in the hundreds or thousands.

[Image: Experimental setup: a Samsung Galaxy View tablet and a mannequin hand.]

Let’s return to the study and the light sensor. The authors of the paper used a fairly large Samsung Galaxy View tablet with a 17-inch display. Various patterns of black and white rectangles were displayed on the tablet’s screen. A mannequin was positioned facing the screen in the role of a user entering something on the on-screen keyboard. The light sensor captured changes in brightness. From several hundred measurements like this, an image of the mannequin’s hand was produced. That is, the authors applied the Helmholtz reciprocity principle to get a photograph of the hand, taken as if from the point of view of the screen. The researchers effectively turned the tablet display into an extremely low-quality camera.

[Image: Comparing real objects in front of the tablet with what the light sensor captured.]

True, not the sharpest image.
The above-left picture shows what needed to be captured: in one case, the open palm of the mannequin; in the other, how the user appears to tap something on the display. The images in the center are a reconstructed photo at 32×32 pixel resolution, in which almost nothing is visible — there is too much noise in the data. But with the help of machine-learning algorithms, the noise was filtered out to produce the images on the right, where we can distinguish one hand position from the other. The authors of the paper give other examples of typical gestures that people make when using a tablet touchscreen. Or rather, examples of how they managed to photograph them:

[Image: Capturing various hand positions using a light sensor.]

So can we apply this method in practice? Is it possible to monitor how the user interacts with the touchscreen of a tablet or smartphone? How they enter text on the on-screen keyboard? How they enter credit card details? How they open apps? Fortunately, it’s not that straightforward. Note the captions above the photographs in the illustration above. They show how slowly this method works. In the best-case scenario, the researchers were able to reconstruct a photo of the hand in just over three minutes. The image in the previous illustration took 17 minutes to capture. Real-time surveillance at such speeds is out of the question. It’s also clear now why most of the experiments featured a mannequin’s hand: a human being simply can’t hold their hand motionless for that long.

But that doesn’t rule out the possibility of the method being improved. Let’s ponder the worst-case scenario: if each hand image can be obtained not in three minutes, but in, say, half a second; if the on-screen output is not some strange black-and-white figures, but a video or set of pictures or animation of interest to the user; and if the user does something worth spying on… — then the attack would make sense. But even then — not much sense.
All the researchers’ efforts are undermined by the fact that if an attacker has managed to slip malware onto the victim’s device, there are many easier ways to then trick them into entering a password or credit card number. Perhaps for the first time in covering such papers (examples: one, two, three, four), we are struggling even to imagine a real-life scenario for such an attack. All we can do is marvel at the beauty of the proposed method. This research serves as another reminder that the seemingly familiar, inconspicuous devices we are surrounded by can harbor unusual, lesser-known functionalities.

That said, for those concerned about this potential violation of privacy, the solution is simple. Such low-quality images are due to the fact that the light sensor takes measurements quite infrequently: 10–20 times per second. The output data also lacks precision. However, that’s only relevant for turning the sensor into a camera. For the main task — measuring ambient light — this rate is even too high. We could coarsen the data even more — reporting it, say, five times per second instead of 20. For matching the screen brightness to the level of ambient light, this is more than enough. But spying through the sensor — already improbable — would become impossible. Perhaps for the best.
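To make the mechanism of the study concrete, and to show what the rate-limiting mitigation in the final paragraph actually costs a would-be snooper, here is an added, fully simulated example. It is not code from the original post or from the paper it describes. It assumes an 8×8 scene, Walsh-Hadamard display patterns and an additive Gaussian sensor-noise model, none of which are the paper’s own choices; the “hand” silhouette is constructed for the example and no real sensor is read.

```python
"""
Single-pixel imaging via Helmholtz reciprocity, simulated (added example; not
code from the original post or from the paper it describes).

The display shows a sequence of black/white patterns and a one-pixel ambient
light sensor records the total light bouncing back from the scene for each
pattern.  By reciprocity, that reading is the dot product of the pattern with
the scene's reflectance as seen from the screen, so an orthogonal pattern set
(Walsh-Hadamard rows, an assumption of this example) lets the scene be
recovered with one matrix-vector product.  The scene below is a constructed
8x8 silhouette; the noise model is additive Gaussian; nothing here touches a
real sensor.
"""
import random

# Constructed scene: '#' = bright (skin), '.' = dark background.
SCENE = [
    "........",
    "..#.#.#.",
    "..#.#.#.",
    "#.#####.",
    ".######.",
    ".######.",
    "..####..",
    "...###..",
]


def scene_to_flat(rows, bright=1.0, dark=0.1):
    """Reflectance map as a flat list, row-major."""
    return [bright if ch == "#" else dark for row in rows for ch in row]


def hadamard(n):
    """Sylvester Hadamard matrix of order n (n a power of two): H*H == n*I."""
    if n & (n - 1):
        raise ValueError("order must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-v for v in row] for row in h]
    return h


def sensor_reading(scene_flat, lit_cells):
    """Total light reflected when exactly the cells in `lit_cells` are white."""
    return sum(scene_flat[i] for i in lit_cells)


def differential_measure(scene_flat, pattern_row, rng, noise_sigma):
    """Show the +1 cells white and read, then the -1 cells white and read; the
    difference equals pattern_row . scene plus sensor noise on each reading."""
    plus = [i for i, p in enumerate(pattern_row) if p > 0]
    minus = [i for i, p in enumerate(pattern_row) if p < 0]
    a = sensor_reading(scene_flat, plus) + rng.gauss(0.0, noise_sigma)
    b = sensor_reading(scene_flat, minus) + rng.gauss(0.0, noise_sigma)
    return a - b


def reconstruct(scene_flat, noise_sigma=0.0, seed=1):
    """Recover the scene from n differential readings: x = H . y / n."""
    n = len(scene_flat)
    h = hadamard(n)
    rng = random.Random(seed)
    y = [differential_measure(scene_flat, h[i], rng, noise_sigma) for i in range(n)]
    return [sum(h[i][j] * y[i] for i in range(n)) / n for j in range(n)]


def render(flat, width, threshold=0.5):
    """Threshold the recovered reflectance back into the '#'/'.' picture."""
    return ["".join("#" if v >= threshold else "." for v in flat[k:k + width])
            for k in range(0, len(flat), width)]


def max_abs_error(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def capture_seconds(pixels, sample_rate_hz):
    """Readings needed for a full Hadamard scan (two per pattern, one pattern
    per pixel) divided by the sensor's reporting rate: this is the knob the
    post's mitigation turns down."""
    return 2 * pixels / sample_rate_hz


if __name__ == "__main__":
    flat = scene_to_flat(SCENE)
    clean = reconstruct(flat)
    noisy = reconstruct(flat, noise_sigma=0.5)
    print("\n".join(render(clean, 8)))
    print("max error, no noise: %.2e" % max_abs_error(flat, clean))
    print("max error, noisy:    %.2f" % max_abs_error(flat, noisy))
    for rate in (20, 5):
        print("32x32 scan at %2d Hz: %.0f s" % (rate, capture_seconds(32 * 32, rate)))
```

Running the block prints the recovered silhouette, the reconstruction error with and without sensor noise, and how long a full 32×32 scan would take at 20 Hz versus 5 Hz. The numbers make the post’s point: the capture budget is two readings per pixel over the sensor’s reporting rate, so cutting the rate from 20 to 5 Hz quadruples the time a hand would have to stay motionless, on top of the noise that already forces many repeated patterns and a denoising stage.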
The Donut ransomware group has expanded its victim list to include a prominent US Department of Defense contractor. The group, known for its malicious activities, posted a chilling message related to the DOD contractor cyberattack on the dark web, signaling a brazen move against national security.

The dark web message, which was addressed to DOD contractors, opened with a sinister welcome: “DOD contractors, you are welcome in our chat.” The message continued with a claim that the group had obtained sensitive documents from major defense contractors such as SpaceX, Lockheed Martin, and Boeing. According to the post, these documents, which the group deemed its legal property, were allegedly valued at US$20,000. The group issued a stark warning, stating, “So we don’t think like that, and there our last warning. US$500k at least: you will pay for all data…”

[Image: Source: Twitter]

US Department of Defense Contractor Cyberattack Claim Unverified

Despite the alarming message about the DOD contractor cyberattack, concerns regarding the authenticity of the claim arose when it was discovered that the official website of the targeted defense contractor was fully operational. This contradiction called the legitimacy of the ransomware group’s assertions into question.

To delve deeper into the matter, The Cyber Express team took swift action, reaching out to the official representatives of the US Department of Defense contractor for verification. However, as of the time of compiling this report, no official response has been received, leaving the DOD contractor cyberattack claim unverified.

The potential targeting of defense contractors raises significant national security concerns. If the DOD contractor cyberattack claims made by the Donut ransomware group are substantiated, it could pose a severe threat not only to the targeted contractors but also to the broader defense ecosystem.

Threat Actors Focusing on High-profile Firms, Why?

In recent years, ransomware attacks have become increasingly sophisticated and targeted, with threat actors focusing on high-profile organizations and critical infrastructure. This incident follows a string of cyber threats in January 2024 and in 2023, with the hacking group Phoenix taking credit for a Distributed Denial of Service (DDoS) attack on the US Congress website. The group explicitly targeted pages related to lobbying and online reporting in the United States, rendering the congressional website temporarily disabled. The hacker’s message confirming the attack was posted on their dark web channel.

In a separate but equally alarming development, the Snatch ransomware group has alleged a data leak involving the personal information of President Joe Biden, his son Hunter Biden, and First Lady Jill Biden. The group claims to have leaked Personally Identifiable Information (PII) and other sensitive data, throwing the cybersecurity community into a state of concern. The authenticity of this data leak remains uncertain, pending an official statement from the White House regarding the alleged cyberattack on the 46th President of the United States.

Adding to the growing list of cyber threats, the US branch of the Industrial and Commercial Bank of China (ICBC), one of the world’s largest banks, has fallen victim to a major ransomware attack.

The inclusion of defense contractors in the victim list amplifies the gravity of such attacks, as it directly affects the security and confidentiality of sensitive government information. The unfolding situation in the case of the DOD contractor cyberattack emphasizes the critical role of collaboration between government agencies, cybersecurity experts, and private entities in addressing and mitigating the escalating cyber threats that pose a risk to national security and public safety.
Northern Light Health, Maine’s largest integrated healthcare system, found itself at the center of a cybersecurity incident on 4 February as several of its computer servers fell victim to a cyberattack. The health system, serving communities from Portland to Presque Isle, promptly addressed the Northern Light Health cyberattack, assuring the public that patient records remained secure.

In a social media post shared on 4 February, the healthcare system acknowledged the cyberattack on Northern Light Health and emphasized its commitment to ensuring healthcare accessibility. The organization, composed of ten member hospitals, a physician-led medical group, nursing homes, emergency transport services, and primary care locations, employs over 12,000 individuals in the state.

Response to the Northern Light Health Cyberattack

In response to the cyberattack, Northern Light Health took immediate action by temporarily taking patient records systems offline while initiating a thorough investigation into the server breach. Despite this disruption, the health system ensured that hospital operations continued seamlessly, with patient care remaining unaffected. The organization emphasized that its staff are well trained to handle such situations.

[Image: Source: Northern Light Health on Facebook]

In a Facebook post, Northern Light Health addressed the circulating misinformation about the incident, clarifying that there is no evidence to suggest that patient information was compromised. They stated, “We have not been contacted by any third party, and there is no indication that any of our information is being held for ransom.” The organization further asserted full control over its HVAC and security systems, refuting claims of vulnerability.

Cyberattack on Northern Light Health: The Website Is Still Down!

The Northern Light Health cyberattack has been reported to the relevant authorities, and Northern Light Health remains committed to providing updates to patients, staff, and communities as more information becomes available. The organization expressed readiness to continue delivering high-quality care during the ongoing investigation.

To learn more about the Northern Light Health cyberattack, The Cyber Express reached out to the hospital chain. However, despite efforts to gather more details, access to the organization’s website is currently unavailable, leaving communication channels temporarily severed. As a result, the claims surrounding the cyberattack remain unconfirmed, leaving room for ongoing discussions and debates.

Northern Light Health may be facing the aftermath of a cyberattack, but it is emphasizing its dedication to patient privacy and the ongoing investigation into the incident. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information or official confirmation of the Northern Light Health cyberattack.
The impact of the massive Okta data breach lingers, continuing to provide opportunistic terrain for hackers. Cloudflare, a prominent player in internet infrastructure and security, now faces the aftermath after falling victim to a cyberattack. On February 2, 2024, the company disclosed that individuals suspected to be state-sponsored threat actors had used stolen Okta credentials to breach Cloudflare’s defenses.

While the security team successfully thwarted the threat and protected sensitive data from exposure, the Cloudflare cyberattack highlights two key points: first, that no one is immune, and second, that a resilient defense system is effective in containing an attack and preventing its spread. This analysis provides a deeper view into the technical details of the Cloudflare cyberattack, revealing the strategic maneuvers employed by the threat actors. Despite their attempts to infiltrate Cloudflare’s Atlassian environment, swift responses, termination of compromised accounts, and collaboration with the forensic team ensured minimal impact on customer data.

Decoding the Cloudflare Cyberattack: The Technical Side of the Intrusion

The Cloudflare cyberattack attempt began when the threat actor started creating Atlassian accounts for persistent access and installing the Sliver Adversary Emulation Framework. Despite the intrusion and access to the non-operational console server with 120 repositories, no data exfiltration occurred during the attack. Cloudflare’s response on November 23, terminating the Smartsheet service account and creating a user account, turned out to be a pivotal development. Implementing firewall rules, removing the framework on November 24, and leveraging their security infrastructure stopped the threat actor’s attempts. Importantly, no evidence suggested access beyond the Atlassian suite.

In response to this cyberattack on Cloudflare, the American IT company initiated security enhancements on November 24, rotating over 5,000 credentials and triaging nearly 5,000 systems. In a blog post shared on February 2nd, Cloudflare concluded that no customer data was harmed by this cyber intrusion.

“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event. Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited,” reads the blog post.

The Okta Data Breach Connection

The genesis of the cyberattack can be traced back to the compromise of Okta in October, which set the stage for a sophisticated nation-state actor to launch an attack on Cloudflare in mid-November. The threat actor’s meticulous reconnaissance from November 14 to 17 involved unauthorized access to Cloudflare’s internal wiki and bug database. Leveraging stolen credentials from the Okta breach, the threat actor secured persistent access on November 22.

In the aftermath of the Okta security incident disclosed in October 2023, Okta Security revisited its initial analysis, uncovering fresh details that could affect customer security. The threat actor responsible for the breach ran a report on September 28, 2023, containing names and email addresses of all Okta customer support system users. While no sensitive personal data or user credentials were exposed, the risk of phishing and social engineering attacks targeting Okta customers is heightened. David Bradbury, Chief Security Officer at Okta, emphasized the organization’s commitment to fighting online threats and protecting customers in the face of cybersecurity challenges.

However, despite no sensitive data being leaked in the breach, the threat actor had already started attacking new victims via social engineering. The Cloudflare cyberattack was a direct product of the Okta breach. On November 24, both Cloudflare’s security team and CrowdStrike’s forensic team engaged in an investigation into the nation-state threat actors, adding an extra layer of scrutiny to ensure a comprehensive understanding of the incident.

Security Measures and Collaborative Efforts: The Code Red Project

Despite the threat actor’s attempt at a cyberattack on Cloudflare, the company’s formidable security infrastructure stood firm. No customer data or services were compromised, highlighting the efficacy of Cloudflare’s access controls, firewall rules, and use of hard security keys within their Zero Trust framework. The collaboration with CrowdStrike not only provided validation but also exemplified the importance of multi-faceted responses to cyber threats.

The launch of the “Code Red” remediation project on November 27 marked a critical phase in Cloudflare’s response. Encompassing a substantial portion of the technical staff, this initiative focused on fortifying controls within the environment. Over 5,000 production credentials were rotated, and forensic triages were conducted on nearly 4,900 systems to ensure the threat actor was thoroughly denied access.

The primary target of the threat actor was Cloudflare’s Atlassian environment, where they gained access to documentation and a limited amount of source code. Notably, their attempt to access a console server in the São Paulo, Brazil data center was thwarted, showcasing the efficacy of Cloudflare’s non-enforced ACLs. In-depth scrutiny of 76 source code repositories revealed the threat actor’s focus on network configuration, identity management, and Cloudflare’s use of Terraform and Kubernetes. A meticulous examination of these repositories formed a significant part of the “Code Red” effort, aiming to prevent any potential exploitation of technical information about Cloudflare’s network operations.

Conclusion and Ongoing Vigilance

Following this nation-state-sponsored Cloudflare cyberattack, the American company extends gratitude to its team members for their prompt response, especially during the Thanksgiving holiday. The conclusion of the “Code Red” effort on January 5 marks a significant milestone in securing Cloudflare’s systems. However, the company remains vigilant, actively engaging in ongoing work on credential management, software hardening, vulnerability management, and enhanced alerting capabilities.

To assist other organizations in verifying whether the threat actor accessed their systems, Cloudflare has shared Indicators of Compromise (IOCs).

[Image: Source: Cloudflare]

These include IP addresses and file hashes associated with the primary threat actor’s infrastructure. Organizations, especially those affected by the Okta breach, can use these IOCs to bolster their security measures and confirm the threat actor’s absence from their systems.
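The IOC check described above, as an added example that is not Cloudflare’s code: it assumes an IOC list in “type,value” form holding IP addresses (single hosts or CIDR ranges) and MD5/SHA-1/SHA-256 hashes, and sweeps log lines for either. The indicator values and the log lines are constructed placeholders (RFC 5737 documentation-range addresses and hashes of dummy strings), not the indicators from Cloudflare’s post; a real run would substitute those.

```python
"""
Sweeping local logs for published IOCs (added example, not Cloudflare's code).

Input: an IOC list in 'type,value' form, where type is ip (single address or
CIDR) or md5/sha1/sha256, plus a stream of log lines.  Output: every line that
mentions a listed address or hash.  The indicators and log lines below are
CONSTRUCTED placeholders, not the real IOCs from the Cloudflare post.
"""
import hashlib
import ipaddress
import re

# Placeholder hashes: digests of dummy strings, computed here so they are
# obviously not real indicators.
PLACEHOLDER_SHA256 = hashlib.sha256(b"placeholder-binary-1").hexdigest()
PLACEHOLDER_MD5 = hashlib.md5(b"placeholder-binary-2").hexdigest()

# Placeholder IOC list: documentation-range addresses (RFC 5737) only.
PLACEHOLDER_IOCS = f"""
# type,value
ip,203.0.113.7
ip,198.51.100.0/24
sha256,{PLACEHOLDER_SHA256}
md5,{PLACEHOLDER_MD5}
"""

# Constructed log lines: one benign connection, two outbound connections to
# listed addresses, three new-file events (two listed, one benign) and one
# malformed address that the loose regex catches but ipaddress rejects.
SAMPLE_LOGS = [
    "proxy: outbound connect to 10.0.0.5:22 by pid 1102",
    "proxy: outbound connect to 203.0.113.7:443 by pid 2291",
    "edr: new file /tmp/svc sha256=" + PLACEHOLDER_SHA256,
    "proxy: outbound connect to 198.51.100.77:8443 by pid 2291",
    "edr: new file /tmp/upd md5=" + PLACEHOLDER_MD5.upper(),
    "edr: new file /opt/app/run sha256=" + hashlib.sha256(b"benign").hexdigest(),
    "kernel: bogus address 999.1.1.1 in packet",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest digest first so a SHA-256 is not cut into a shorter match.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def load_iocs(text):
    """Parse the IOC list into (networks, hashes); hashes are lower-cased."""
    networks, hashes = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = [part.strip() for part in line.split(",", 1)]
        if kind == "ip":
            # strict=False turns a bare address into a /32 and tolerates host bits.
            networks.append(ipaddress.ip_network(value, strict=False))
        elif kind in ("md5", "sha1", "sha256"):
            hashes.add(value.lower())
        else:
            raise ValueError(f"unknown IOC type: {kind}")
    return networks, hashes


def scan_lines(lines, networks, hashes):
    """Return (line_number, kind, value) for every IOC hit, in line order."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # octet out of range, e.g. 999.1.1.1
                continue
            if any(addr in net for net in networks):
                hits.append((number, "ip", token))
        for token in HASH_RE.findall(line):
            if token.lower() in hashes:
                hits.append((number, "hash", token.lower()))
    return hits


def run_demo():
    """Sweep the constructed sample logs with the placeholder IOC list."""
    networks, hashes = load_iocs(PLACEHOLDER_IOCS)
    return scan_lines(SAMPLE_LOGS, networks, hashes)


if __name__ == "__main__":
    for number, kind, value in run_demo():
        print(f"line {number}: {kind} IOC {value}")
```

Hash matching is case-insensitive and address matching is by network membership, so a published /24 catches any host in it; the malformed address on the last sample line is skipped rather than crashing the sweep, which matters when the input is raw log text rather than a clean feed.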
The Chief Justice of Pennsylvania, Debra Todd, revealed that the Pennsylvania Courts’ website is currently facing disruptions due to a denial of service (DDoS) attack. The DDoS attack, identified today, has affected various Pennsylvania court web services, including PACFile, online docket sheets, PAePay, and the Guardianship Tracking System.

Chief Justice Todd assured the public that the Pennsylvania court’s information technology and executive team are collaborating with law enforcement agencies, including CISA, the U.S. Department of Homeland Security, and the FBI, to investigate the incident.

“Our court information technology and executive team is working closely with law enforcement including the CISA, the U.S. Department of Homeland Security, and the F.B.I to investigate the incident,” said Chief Justice of Pennsylvania Debra Todd in an official statement.

In the official release, Todd confirms that despite the disruption, there is currently no evidence suggesting the compromise of any court data, and the courts will remain open and accessible to the public.

Implications of the DDoS Attack

Potential Disruption of Legal Processes: The DDoS attack on the Pennsylvania Courts’ website could potentially disrupt legal processes, affecting the filing of documents through PACFile and access to online docket sheets. This may pose challenges for lawyers, litigants, and other stakeholders who rely on these services for case-related information.

Impact on Public Trust: Government websites are vital for public access to legal information and services. The disruption caused by the DDoS attack may erode public trust in the reliability and security of online court services. Rebuilding this trust will be crucial for maintaining the effectiveness of the judicial system.

Increased Scrutiny on Cybersecurity Measures: This DDoS attack on the Pennsylvania Courts’ website highlights the need for enhanced cybersecurity measures within government institutions. As cyber threats continue to evolve, governments must invest in security infrastructure to protect sensitive data and ensure the seamless operation of critical online services.

Potential for Copycat Attacks: The visibility of this cyberattack on the Pennsylvania Courts may inspire other threat actors to launch similar attacks on government websites. This could lead to a broader trend of DDoS attacks targeting legal and judicial systems, amplifying the need for proactive cybersecurity strategies.

Geopolitical Implications: While the motive behind the DDoS attack on the Pennsylvania Courts is yet to be determined, cyberattacks on government websites, as observed in other global incidents, sometimes carry geopolitical motivations. Analyzing the potential geopolitical implications of this DDoS attack will be crucial in understanding the broader context of cyber threats faced by states.

Similar Incidents Raising Concern

The Pennsylvania Courts DDoS attack raises concerns about the vulnerability of government websites to cyber threats, a trend also observed globally. In January 2024, Swiss government websites experienced a similar disruption orchestrated by a group known as ‘NoName,’ with alleged ties to Russia. The attack, identified by Switzerland’s National Cyber Security Centre (NCSC), temporarily disrupted access to several Swiss websites linked to the Federal Administration. The ‘NoName’ group claimed responsibility for its actions, citing geopolitical motivations related to Ukrainian President Volodymyr Zelensky’s attendance at the World Economic Forum. The Swiss authorities swiftly responded to the DDoS attack, ensuring no compromise or loss of data occurred.

Similarly, the Maldives encountered a cyberattack resulting in the temporary unavailability of key government websites, including the President’s office, Foreign Ministry, and Tourism Ministry. The disruption, occurring on a Saturday night, was linked to derogatory remarks about India’s Prime Minister Narendra Modi made by three Maldives ministers.

These incidents highlight the global challenge of securing government websites against cyber threats and the potential geopolitical motivations behind such attacks. Moreover, the DDoS attack on the Pennsylvania Courts’ website not only disrupts essential services but also prompts a deeper analysis of the cybersecurity landscape for government institutions. It highlights the importance of proactive measures, international collaboration, and continuous evaluation of security protocols to mitigate the impact of cyber threats on critical public infrastructure.
The compromise of AnyDesk, a prominent remote desktop application distributed by AnyDesk Software GmbH, has caused quite a stir in the cybersecurity domain. The disclosure raises concerns given the software’s proprietary nature, offering platform-independent remote access to personal computers and various devices. On February 2, 2024, the company disclosed that a cyberattack on AnyDesk had compromised production systems.

The prospect of such software falling into the hands of cybercriminals is a significant source of concern, given its potential to provide unauthorized access to personal computers and other devices running the host application. The cyberattack on AnyDesk came to light through a public statement detailing the results of a security audit conducted in response to indications of a breach.

“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cybersecurity experts CrowdStrike,” read the official statement.

While AnyDesk reassured users that the situation was under control, the crucial question lingers: what does this precisely entail? A closer examination sheds light on the implications and potential repercussions of this cybersecurity incident.

Cyberattack on AnyDesk: Credentials Offered on Dark Web

As a preemptive measure, AnyDesk urged all users to update their passwords, particularly those using identical credentials elsewhere. “As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” reads the official statement.

However, the aftermath of the cyberattack has taken a more complex turn, with threat actors identified on the Dark Web selling access to compromised AnyDesk credentials. Resecurity, the cybersecurity firm, identified multiple threat actors involved in this illicit trade. One such actor, using the alias “Jobaaaaa,” listed over 18,000 AnyDesk customer credentials for sale on the Dark Web forum Exploit[.]in. The threat actor claimed that the compromised data was ideal for technical support scams and phishing activities.

[Image: Source: Resecurity]

The discussion surrounding the AnyDesk data took an intriguing turn when a threat intelligence platform stated that the data being traded on the dark web did not stem from the recent breach but rather from historical infostealer infections. This sparked discussions on the social media platform X about the timing and motive behind the credential sale, with Hudson Rock proposing that threat actors might be capitalizing on the situation—an assertion supported by Resecurity.

[Image: Source: X]

Resecurity further emphasized that, as of February 4, numerous accounts persisted without updated passwords and lacked the additional layer of security provided by two-factor authentication (2FA).

[Image: Source: X]

The examples provided by the threat actors to the cybersecurity firm were associated with compromised access credentials for both individual consumers and enterprises, allowing entry into the AnyDesk customer portal. As a security measure, the threat actor obscured some of the passwords. The actor offered 18,317 accounts for $15,000, payable in cryptocurrency, and was willing to complete the transaction through escrow on Exploit. These compromised accounts posed a potential threat, particularly considering the absence of 2FA on a majority of them.

Potential Implications and Analysis

The compromised credentials not only pose a direct risk to AnyDesk users but also raise concerns about potential downstream cyber threats. The information gleaned from the AnyDesk portal could provide threat actors with sensitive details about users, including license keys, active connections, session durations, customer IDs, contact information, and more. Moreover, the lack of 2FA on the majority of exposed accounts amplifies the risk, especially for IT administrators who frequently use AnyDesk. This situation creates a potential gateway for a devastating supply-chain attack affecting AnyDesk’s enterprise customers.

The timing of the unauthorized access, illustrated by shared screenshots, indicates that some users had not changed their access credentials after the incident was disclosed. The complexity of implementing remediation measures for a large user base shows that proper planning and threat modeling are essential for effective cybersecurity.

Dark Web Activity and Potential Misuse

The availability of compromised data on the Dark Web could fuel various cybercriminal activities, including targeted phishing campaigns. Cybercriminals armed with detailed customer information could launch sophisticated attacks, potentially leading to devastating consequences akin to a SolarWinds-style attack.

AnyDesk had informed its customers about planned maintenance starting on January 29, disabling login functionality during this period.

[Image: Source: AnyDesk]

The company restored login functionality by February 1, with potential cybercriminals looking to exploit the situation before proactive measures are taken.

[Image: Source: AnyDesk]

Historical Scams and Continued Threats

Apart from the recent cyberattack, AnyDesk has been a target for online scammers who have previously abused the platform in various fraudulent schemes. Scenarios involving fake Microsoft technicians, impersonation of legitimate companies, and fictitious AnyDesk support staff have been reported. The compromised credentials may open the door for scammers and cybercriminals to launch new attacks, with the potential for increased success in account compromise due to the additional customer details.

Dark Web Threat

The AnyDesk cyberattack highlights the evolving landscape of cyber threats and the need for constant vigilance. The compromised credentials listed on the Dark Web pose a significant risk to individual and enterprise customers. The cyberattack on AnyDesk highlights the importance of timely password resets, the implementation of 2FA, and heightened awareness to mitigate the potential risks associated with cyberattacks.
AnyDesk users are strongly advised to update their passwords, enable 2FA, and exercise caution against potential phishing attempts. The cyberattack on AnyDesk coincides with attacks on major entities like Cloudflare, Microsoft, and Hewlett Packard Enterprise, potentially linked to a nation-state actor (Midnight Blizzard / Nobelium).
Crypto theft, sextortion tactics, swattings, and ransomware: teenagers are increasingly taking up cybercrime for fun and profit — and experts credit an array of contributing factors.
Production systems at the remote access company were breached, leading AnyDesk to revoke code signing certificate and reset Web portal credentials as part of its incident response.
Deepfakes are fast becoming more realistic, and access to them more democratic, enabling even ordinary attackers to enact major fraud. What's the most effective way to fight back?
As the Middle East nation enforces strict cybercrime laws, citizens face crackdowns on free speech with nearly three dozen journalists and lawyers targeted with the NSO Group's spyware.
Cyber hygiene is no longer a nice-to-have but necessary for organizations that want to survive the relentless barrage of cyberattacks being unleashed daily.
Some internal services at the hospital, such as internet, email, and access to medical platforms, have been affected, resulting in delays for scheduled procedures and test results.
This strategic partnership will involve integrating Tenchi's SaaS platform into Accenture's managed security services to enhance defenses against supply chain security threats.
The "Greatness" phishing tool poses a significant threat to Microsoft 365 accounts and has the capability to outmaneuver multi-factor authentication, increasing the potential for cybercrime.
Oasis Security, a startup from Israel, has developed a three-part system to address the challenges of non-human identity management, including discovery, resolution, and automation.
The trio obtained personal information from around 50 individuals and used it to access authentication codes for financial accounts, including those of FTX, resulting in the transfer of over $400 million in digital assets.
The scam involved a request to update payment information for a private company contracting with the agency, resulting in the transfer of funds to an illegitimate account.
The scammers digitally recreated the company's chief financial officer and other employees in a convincing video conference call to trick the victim into making money transfers.
The Windows SmartScreen vulnerability CVE-2023-36025 allows threat actors to bypass warnings and execute malicious payloads using crafted .url files, posing a significant security risk to Windows users.
The second half of 2023 saw a significant increase in the scale and sophistication of DDoS attacks, with the maximum attack power rising to 1.6 Tbps, according to data by Gcore.
An investigation revealed widespread use of Pegasus spyware on the phones of journalists, human rights advocates, and lawyers in Jordan, suggesting a targeted surveillance campaign by Jordanian authorities.
The decline in the number of ransomware victims paying a ransom is attributed to better business resilience, assistance from the FBI, and the realization that paying for intangible promises is not effective.
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an evolving threat from China-linked hackers infiltrating U.S. critical infrastructure, aiming to induce societal panic and chaos.
Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is an improved fork of Google's afl: it has more speed, more and better mutations, more and better instrumentation, custom module support, etc.
Debian Linux Security Advisory 5615-1 - It was discovered that runc, a command line client for running applications packaged according to the Open Container Format (OCF), was susceptible to multiple container break-outs due to an internal file descriptor leak.
Ubuntu Security Notice 6592-2 - USN-6592-1 fixed vulnerabilities in libssh. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libssh incorrectly handled the ProxyCommand and the ProxyJump features. A remote attacker could possibly use this issue to inject malicious code into the command of the features mentioned through the hostname parameter.
This Metasploit exploit module leverages SQL injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed, and the account must have access to the vulnerable PHP script (pollers.php). This access is granted by setting the Sites/Devices/Data permission in the General Administration section.
Gentoo Linux Security Advisory 202402-10 - Multiple vulnerabilities have been found in NBD Tools, the worst of which could result in arbitrary code execution. Versions greater than or equal to 3.24 are affected.
runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.
Debian Linux Security Advisory 5614-1 - Two vulnerabilities were discovered in zbar, a library for scanning and decoding QR and bar codes, which may result in denial of service, information disclosure or potentially the execution of arbitrary code if a specially crafted code is processed.
Ubuntu Security Notice 6622-1 - David Benjamin discovered that OpenSSL incorrectly handled excessively long X9.42 DH keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1305 MAC on the PowerPC architecture. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.
Milesight IoT router versions UR5X, UR32L, UR32, UR35, and UR41 suffer from a credential leaking vulnerability due to unprotected system logs and weak password encryption.
Gentoo Linux Security Advisory 202402-9 - Multiple out-of-bounds read vulnerabilities have been discovered in Wireshark. Versions greater than or equal to 4.0.11 are affected.
Gentoo Linux Security Advisory 202402-8 - Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service. Versions greater than or equal to 3.0.10 are affected.
Gentoo Linux Security Advisory 202402-7 - Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected.
Gentoo Linux Security Advisory 202402-6 - Multiple vulnerabilities have been discovered in FreeType, the worst of which can lead to remote code execution. Versions greater than or equal to 2.13.0 are affected.
Gym Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original credit for this finding goes to Jyotsna Adhana in October of 2020; this advisory uses a different attack vector for this software version.
Gentoo Linux Security Advisory 202402-5 - Multiple vulnerabilities have been discovered in Microsoft Edge, the worst of which could lead to remote code execution. Versions greater than or equal to 120.0.2210.61 are affected.
Gentoo Linux Security Advisory 202402-4 - A vulnerability has been discovered in GNAT Ada Suite which can lead to remote code execution. Versions prior to 2019-r2 are affected.
Gentoo Linux Security Advisory 202402-3 - Multiple vulnerabilities have been discovered in QtGui which can lead to remote code execution. Versions greater than or equal to 5.15.9-r1 are affected.
Gentoo Linux Security Advisory 202402-2 - A vulnerability has been discovered in SDDM which can lead to privilege escalation. Versions greater than or equal to 0.18.1-r6 are affected.
The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer
The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group's Pegasus spyware, according to joint findings from Access Now and the Citizen Lab. Nine of the 35 individuals have been publicly confirmed as targeted, out of whom six had their devices compromised with the mercenary
A significant challenge within cyber security at present is that there are a lot of risk management platforms available in the market, but only some deal with cyber risks in a very good way. The majority will shout alerts at the customer as and when they become apparent and cause great stress in the process. The issue being that by using a reactive, rather than proactive approach, many risks
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between
Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their game up a notch to get around those blocks. Part of the challenge is to coordinate the defensive abilities of disparate security tools, even as organizations have limited resources and a dearth of
A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business. Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. If convicted, he faces a maximum penalty of 25 years in prison. BTC-e, which had
Source: securityboulevard.com – Author: Marc Handelman Authors/Presenters: Jinyan Xu, Yiyuan Liu, Sirui He, Haoran Lin, Yajin Zhou, Cong Wang Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organization's strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organization's YouTube […] The post USENIX Security ’23 – MorFuzz: Fuzzing Processor Via Runtime Instruction Morphing enhanced Synchronizable Co-simulation – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securityaffairs.com – Author: Pierluigi Paganini US government imposed sanctions on six Iranian intel officials Pierluigi Paganini February 04, 2024 The US government issued sanctions against six Iranian government officials linked to cyberattacks against critical infrastructure organizations. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six Iranian government officials […] The post US government imposed sanctions on six Iranian intel officials – Source: securityaffairs.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 Breach Notification, Cybercrime, Fraud Management & Cybercrime Company Says Problem Remediated, All Security-Related Certificates Revoked Prajeet Nair (@prajeetspeaks) • February 4, 2024 Image: Shutterstock Remote desktop application provider AnyDesk acknowledged hackers recently gained unauthorized access to the company’s production systems in a cyberattack. See Also: Live […] The post AnyDesk Confirms Cyber Incident, Pushes Out Password Reset – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.govinfosecurity.com – Author: 1 Breach Notification, Cybercrime, Fraud Management & Cybercrime Company Says Problem Remediated, All Security-Related Certificates Revoked Prajeet Nair (@prajeetspeaks) • February 4, 2024 Image: Shutterstock Remote desktop application provider AnyDesk acknowledged hackers recently gained unauthorized access to the company’s production systems in a cyberattack. See Also: Live […] The post AnyDesk Confirms Cyber Incident, Pushes Out Password Reset – Source: www.govinfosecurity.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.troyhunt.com – Author: Troy Hunt Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes: Last week, someone reached out to me with […] The post How Spoutible’s Leaky API Spurted out a Deluge of Personal Data – Source: www.troyhunt.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Becky Bracken, Editor, Dark Reading 1 Min Read Source: Seemanta Dutta via Alamy Stock Photo AnyDesk, which provides a remote desktop application offering access, file transfer, and VPN functionality for endpoints, has announced that its production systems have been compromised, and that it plans to revoke all its security-related certificates and reset […] The post AnyDesk Compromised, Passwords Revoked – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: socprime.com – Author: Veronika Telychko In January 2023, SOC Prime launched The Prime Hunt, an open-source browser add-on acting as a single platform-agnostic UI for threat hunters, regardless of the security solution in use. For over one year since The Prime Hunt launch, we have been working on the tool enhancements, broadening the supported […] The post The Prime Hunt v1.4.2: Chronicle Security Support & Mail Templates for Streamlined IOC Sharing – Source: socprime.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: thehackernews.com – Author: . Feb 05, 2024 Newsroom Cyber Espionage / Cyber Extortion The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which […] The post Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware – Source: thehackernews.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.